Browser Re-direct / Hijack Issue

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Brandenm, Jul 5, 2016.

  1. Brandenm

    Brandenm Private E-2

    The Problem:

    When web browsing, when I click on anything it will sometimes (at random) open a new tab from tabcontent.net before redirecting to another page with popups for downloadopensoftware.com (or sometimes linkagency.xyz).

    It cycles through 1 of about 3 different types of virus pages in the new tab, such as:

    · A page asking to click to update flash.
    · A page that mentions that I am a Comcast cable communications customer (which is correct, so it must know that somehow)

    I of course did not click anything in these pop-ups. I just close them (and close the subsequent annoying pop-up that forces me to confirm closing the page).

    I first noticed this issue about 2 days ago when I was in the admin panel area of my wordpress site. For several hours I thought it was a hack on my website, but then tons of scans on my website and restoring website backups did nothing, and then I also noticed it was doing it on just about any website I visited while browsing.

    I am not technical, but it appears to be injecting a cache object into any page I am on (at least this is suggested by my wordfence scans on my wordpress site which has recently been picking up malware in a cache/object folder on my site after this occurs. I delete it but it always comes back). I have only noticed it in Chrome so far which is what I mostly use (I only did limited testing in Firefox, I do not use IE / Edge). It seems to do it more often when I am clicking on certain websites (such as my wordpress site, or while visiting various pages trying to fix the problem. I have not noticed it on google or youtube yet), perhaps because it has already infected the page before.

    When I came across your site, it sounded like this might be a browser re-direct / hijacking issue, so I followed the steps in your guide there first. That was unsuccessful in resolving it, so I did the rest of your instructions in your main malware removal guide.

    I can't believe what seems like a relatively simple issue and only a moderate annoyance can be so difficult to get rid of. Please help, thank you!

    Full disclosure:

    Yesterday when I first started researching and tackling the problem, I ran about 10 different anti-virus / anti-malware / anti-adware scans from some of the most popular free programs (such as: avg, Malwarebytes, Spybot, spyware blaster, super-antispyware, hitman pro, jrt, bitdefender, ad-aware, adwcleaner, and ccleaner). This was all before I even came to majorgeeks and started going through your instructions. Each scan generally seemed to find a few things, but obviously nothing actually resolved the issue I had. This left me feeling rather hopeless about it, which is why I finally came to majorgeeks. I was able to dig out the logs from those first scans I think for all of them. I attached logs for 2 different scans for some of them. Sorry in advance if running these scans more than once screwed up the logs too much, I didn’t think to just come here first. I am just hoping this doesn’t prevent anyone from helping me. (I only provided logs from the programs instructed, but I might have some other anti-malware program logs if needed).

    Note: I have also been using ccleaner for a while and I did run the registry cleaning tool prior to seeing your instructions about not doing that. I think some of the other scans I did probably also cleaned some of the registry errors as well (sorry). I do have registry backups from ccleaner if that helps any.

    My system specs:

    · Windows 10
    · Chrome browser
     

    Attached Files:

  2. Brandenm

    Brandenm Private E-2

    More logs attached (5 attachments was the limit per post). Thanks.
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    MGTools did not run to completion... run it again, this time ensuring that protection software is disabled, that you are right clicking and 'running as admin' and that you are indeed disabling UAC.
    Google Chrome is becoming a very problematic browser, and I do not recommend using it. Firefox is not much better, Internet Explorer seems to be the most secure in our opinions.
    Is it ONLY Google Chrome you are having issues with? Can you try surfing using IE and Firefox, too please as a test and let me know?
     
  4. Brandenm

    Brandenm Private E-2

    Thanks for the help. Attached should be my fixed MGlogs.zip. I ran as admin, disabled all anti-virus, and I don't believe I have any UAC to disable for windows 10 if running as admin (as I understand it from one of the earlier instructions on this website I read).

    I have done some additional testing on the other browsers now. So far still no issues there. I tried IE but it is just ungodly slow to the point where there must be something seriously wrong with it (latest version of IE 11). It was using like between 600mb to a gig of memory, and taking up 50-60% of my cpu power for just like 6 tabs. It was taking minutes to open pages too. I never used it before on any of my machines, so not sure what the issue might be. Tried restarting to no avail. So that is probably not going to be a good solution for me.

    Does Edge have the same security advantages as IE in your opinion? Unfortunately I can't use Edge permanently yet because it is so new there is no LastPass plugin for it yet which I need, but I would be able to use it in the future.

    For now I did most of my testing with Firefox. I am like 80% confident the issue is in Chrome only now. But I will keep testing though with Firefox.
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  6. Brandenm

    Brandenm Private E-2

    Okay so I reset Chrome to defaults. I had the issue appear soon afterward, but then I also restarted Chrome and I haven't had it pop up again since last night, when normally it would pop up every 30-60 mins of browser use. Keeping my fingers crossed.

    I do wonder if it had something to do with an infected Chrome extension, because I did notice that something the reset did was turn off all of the extensions (and I left all but one of them off), so I wonder if that might have been it. Though I have not installed any extensions lately, and I only have a few extensions which all should be legit, so just speculation.

    Only unfortunate part is the malicious code still hits my wordfence security plugin scans on my wordpress site and I just have to keep deleting it. I never confirmed if this issue was necessarily connected to my browser issue though, they just both happened to start at the same time so I assumed it was the same issue. So now I am also testing to see if I stop visiting my website on Chrome and use Firefox instead to see if it still gets picked up on my website scans.

    I will reply again in a couple days or so to give update if further testing turned up anything, unless you have any further thoughts on things to try. Thanks.
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thanks for letting me know. :)
     
  8. Brandenm

    Brandenm Private E-2

    Good news, I believe I have solved this mystery (with a great deal of your help of course, thank you).

    I have a chrome extension called "Java for browsing" which appears to be the culprit. When it is disabled, the problem disappears. When enabled, the problem rears its ugly head again.

    I think this possibly also makes sense of why disabling all the extensions the first time with the settings reset didn't quite do the trick, but then how restarting chrome afterward with it still disabled did work. Though assuming this is all correct, why it only started happening a few days ago is still unknown. Either it was disabled previously and something re-enabled the plugin somehow (which I find probably more likely), or the exploit just started being used recently (which I find to be less likely).

    I assume the extension is legit (I could not find any reason to suggest otherwise), however clearly something is using a java exploit of some sort. Further research suggests that java exploits are not uncommon and many recommend disabling java in browsers for this reason (I know I am preaching to the choir here, but just sharing for others as this was new information for me that I was not previously aware of).

    Also, the mystery related to the possible malicious software scans on my wordpress site is most likely a completely unrelated issue (I believe it is a false positive, generated from a recent plugin I installed when I first was investigating the browser issue).

    I am like 80% confident at this point in time that this is what explains all of this. I need another day or two of further testing to confirm. Will update again later.

    I assume there is nothing else I should do other than disable the java extension, but if there are any other suggestions I will of course gladly take them :)
     
    Last edited: Jul 7, 2016
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's awesome that you've figured out which extension was causing the chaos! Surf around a couple days like you say and come back and let me know. :)
     
  10. Brandenm

    Brandenm Private E-2

    Well it's been a few more days, and the issue has not come back since disabling the java plugin in chrome, so I think it's confirmed that this issue has been resolved completely.

    Thanks again for the help!
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's brilliant! :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work through the below link:
     
